Firewall rules ignored or overridden?
-
If you have an any/any rule and you're seeing blocks to some specific IP with anything other than SYN as your flag, then yeah, you either have out-of-state traffic from something like a cell phone or wifi client that was in standby mode for a long time, or, as mentioned, an asymmetrical routing issue.
Why don't you draw up your network so we can take a look-see. You for sure should not have to set sloppy state on your rules.
-
"statetype" = "sloppy state" did not resolve the issue. I guess I didn't wait long enough for the error to recur last night. I am still having the same problem with 993 packets showing up as blocked in the log.
Network diagram couldn't be simpler.
ISP -> Modem -> pfSense -> Workstation
Since the service is email, which gets polled periodically, perhaps the sessions go stale between polls for new email. If I set the rule with a really high state timeout, does anyone think that will solve the issue?
In System -> Advanced -> Firewall & NAT, Firewall Optimization Options = Normal. Perhaps this is causing sessions to be closed too early.
-
No. The default settings should be fine. What are the "Various flags" you're seeing on TCP?
If it's not just plain [S], you are likely seeing out-of-state traffic, which should be harmless. Is anything actually not working or are you just looking at the logs?
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
Recent flags include the following sets: PA, RA, R, A, FA
Also, 6min of traffic is enough to completely fill the last 50 entries visible in the system logs making it hard to see any other traffic.
-
Did you read that doc link?
Then filter on the information you're looking for.
-
I just read that doc link. I have no clustering or load balancing and no multi-WAN. Also, there are no gateways set on the LAN interface settings. If Asymmetric Routing is occurring then it must be on Comcast's backend network since my computer only has a single routable path to the Internet.
As per the manual fix in that document, I have reenabled "State Type" = "sloppy state" and this time added "TCP flags" = "Any flags". Also, I added the same rule on the LAN in the outbound direction using a floating rule. It will take a couple of hours to collect enough traffic to know if this solution works or not. I will report back once I know for sure.
Thanks for the helpful suggestions.
-
The top section. If the other sections are N/A, they're N/A.
-
Not sure what you're doing, but if this is what you have
ISP -> Modem -> pfSense -> Workstation
I really don't see how it's possible you could have asymmetrical routing, unless you have wifi and wired connected on your workstation at the same time. You for sure should not have to set any sort of sloppy state on any rules.
Did you read the link about legit traffic blocked in the logs that Derelict provided? Can you post up a sample of what you're seeing via a screenshot, not some ASCII art?
You know you can increase the number of log entries displayed in the GUI, and you can also go to the actual files. What exactly are you seeing blocked? Badly written code that doesn't send keepalives and doesn't talk for hours and then tries to continue the conversation could cause out-of-state blocks, because after a specific time of not seeing any traffic on a state the firewall will close that state. If it then sees traffic on it, that traffic would be blocked for being out of state.
-
I understand that legitimate traffic will be blocked and usually I see that in the logs as a few orphan packets coming in when a session has ended or expired. What I don't expect to see is over 50 blocked packets every 11min completely filling up my logs and making logging useless. Either these packets should be dropped silently or better yet the appropriate rule should be identified to pass the traffic through. I have included a screenshot of the System Log Firewall page. Due to the length of the scrollable page it took three images. Also, I have redacted my public IP for privacy.
-
Lots of blocks outbound on WAN? What did you do in floating rules?
-
According to the logs, the rules causing the blocks are as follows:
The rule that triggered this action is:
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
AND
The rule that triggered this action is:
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
There are no floating rules except for some VOIP QoS rules created by the Traffic Shaper wizard which are completely unrelated. I removed the previous floating rule because I think we can all agree that this is not an Asymmetric Routing issue. The previous rule I created was the one listed in the document that was linked to, which said to create a floating rule on the LAN for outbound traffic for IPv4 TCP 993 traffic with ANY flags and Sloppy State. I have also reverted the pass rule on the LAN for TCP 993 so that the advanced option ANY flags is removed and Sloppy State is back to keep.
-
If you think those are log spam, go to Status > System Logs, Settings tab and uncheck Log firewall default blocks.
-
While I agree that disabling logging of the default rule would remove these packets from the log, that doesn't really help. I would like to be able to see what packets are being blocked by the firewall and hiding all blocked packets just to get rid of the ones from port 993 is overkill. If the solution is to hide these packets from the log instead of passing them through the firewall, then I would want to create a more specific block rule that only matched these packets with no logging so that I could continue to see packets blocked by the default rule.
-
Your IMAP client is trying to use a connection after the state has been deleted for inactivity or it is otherwise misbehaving.
What isn't working other than the logs you are seeing?
The default timeout for an established TCP state is:
tcp.established 86400s
One whole day. With zero activity.
Not sure how long you think the states should be kept around but feel free to adjust that.
-
I'm fine with 1 day, but I suspect that sessions are closed after 1 hr or less.
Where do you see that setting? I do not see an entry for tcp.established in /tmp/rules.debug. Also, is that the default setting when "Firewall Optimization Options" = Normal? Or is that for a different setting like Conservative?
-
That is the setting for Normal.
This is an existing IMAP state for my mail client:
igb0_vlan223 tcp 192.0.2.96:143 <- 192.168.223.6:52466 ESTABLISHED:ESTABLISHED
[3857059653 + 131008] wscale 1 [3105376859 + 66608] wscale 5
age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 283
id: 00000000585fc42a creatorid: 5297d028
igb1 tcp 192.51.100.226:13887 (192.168.223.6:52466) -> 192.0.2.96:143 ESTABLISHED:ESTABLISHED
[3105376859 + 66608] wscale 5 [3857059653 + 131008] wscale 1
age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 211
You can get the same thing with:
pfctl -vvss | grep -a2 mailserverip:993
Existing state timeouts:
pfctl -st
-
Immediately after seeing blocked packets in the log, I search for the server that was blocked using the command you provided.
pfctl -vvss | grep -a2 207.46.10.10:993
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65410 TIME_WAIT:TIME_WAIT
[1970684899 + 130688] wscale 0 [2546679215 + 5346] wscale 5
age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 143
id: 010000005822dc19 creatorid: fe76c013
igb0 tcp X.X.X.X:46700 (192.168.1.40:65410) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
[2546679215 + 5346] wscale 5 [1970684899 + 130688] wscale 0
age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 88
id: 010000005822dc1a creatorid: fe76c013
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65412 TIME_WAIT:TIME_WAIT
[3526826672 + 130731] wscale 0 [4281023330 + 5256] wscale 5
age 00:03:58, expires in 00:00:08, 21:16 pkts, 2102:4714 bytes, rule 143
id: 010000005822dc1b creatorid: fe76c013
igb0 tcp X.X.X.X:39701 (192.168.1.40:65412) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
[4281023330 + 5256] wscale 5 [3526826672 + 130731] wscale 0
age 00:03:58, expires in 00:00:08, 21:16 pkts, 2102:4714 bytes, rule 88
--
age 00:07:20, expires in 23:52:41, 9:9 pkts, 1607:1079 bytes, rule 87
id: 0000000058236060 creatorid: fe76c013
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65411 TIME_WAIT:TIME_WAIT
[3710722489 + 129846] wscale 0 [766408712 + 5526] wscale 5
age 00:03:58, expires in 00:00:07, 27:22 pkts, 2684:6934 bytes, rule 143
id: 00000000582360ae creatorid: fe76c013
igb0 tcp X.X.X.X:13185 (192.168.1.40:65411) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
[766408712 + 5526] wscale 5 [3710722489 + 129846] wscale 0
age 00:03:58, expires in 00:00:07, 27:22 pkts, 2684:6934 bytes, rule 88
id: 00000000582360af creatorid: fe76c013
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65413 TIME_WAIT:TIME_WAIT
[2772107354 + 130731] wscale 0 [1219956310 + 5256] wscale 5
age 00:03:58, expires in 00:00:11, 21:16 pkts, 2102:4714 bytes, rule 143
id: 00000000582360b0 creatorid: fe76c013
igb0 tcp X.X.X.X:49628 (192.168.1.40:65413) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
[1219956310 + 5256] wscale 5 [2772107354 + 130731] wscale 0
age 00:03:58, expires in 00:00:11, 21:16 pkts, 2102:4714 bytes, rule 88
--
age 00:02:10, expires in 00:00:07, 11:10 pkts, 1193:1059 bytes, rule 88
id: 00000000582360d3 creatorid: fe76c013
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417 ESTABLISHED:ESTABLISHED
[3804055570 + 130731] wscale 0 [4282722200 + 5256] wscale 5
age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 143
id: 00000000582360d6 creatorid: fe76c013
igb0 tcp X.X.X.X:31046 (192.168.1.40:65417) -> 207.46.10.10:993 ESTABLISHED:ESTABLISHED
[4282722200 + 5256] wscale 5 [3804055570 + 130731] wscale 0
age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 88
The established connections have the expected 24 hr session time. The waiting connections have about 4 min. Several minutes later, if I check the state again with the command, all of the sessions are closed except for a few sessions about to time out.
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417 TIME_WAIT:TIME_WAIT
[3804055570 + 130731] wscale 0 [4282722200 + 5256] wscale 5
age 00:03:59, expires in 00:00:05, 21:17 pkts, 2102:4766 bytes, rule 143
id: 00000000582360d6 creatorid: fe76c013
igb0 tcp X.X.X.X:31046 (192.168.1.40:65417) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
[4282722200 + 5256] wscale 5 [3804055570 + 130731] wscale 0
age 00:03:59, expires in 00:00:05, 21:17 pkts, 2102:4766 bytes, rule 88
-
There is no explanation but that your client or the server is closing them.
You will have to packet capture to see what's actually happening.
-
There are only two reasons states get closed, short of a reboot or someone killing them via pfSense management or a custom package: a timeout, or a packet that tells the connection to end, RST or FIN. It seems the timeout is not the case. I could guess at what the issue is, but I wouldn't want to be wrong.
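As an added example, not code from the thread or from pfSense, here is a small Python parser for the `pfctl -vvss` state dump format Derelict posted, plus a triage helper that applies the thread's reasoning to a logged block: a blocked SYN means no pass rule matched, a non-SYN packet with no state means the client continued a session whose state was already gone (timeout or FIN/RST), and a non-SYN packet that still has a state points at the asymmetric-path and window-check cases in the linked doc. The sample dump is constructed in that format, 198.51.100.7 stands in for the redacted public IP, and the function names are mine.

```python
import re
# Constructed sample in the `pfctl -vvss` format shown in the thread: a NAT'd WAN-side
# state and a LAN-side state; 198.51.100.7 stands in for the redacted public IP.
SAMPLE = """\
igb0 tcp 198.51.100.7:46700 (192.168.1.40:65410) -> 207.46.10.10:993 TIME_WAIT:TIME_WAIT
   [2546679215 + 5346] wscale 5  [1970684899 + 130688] wscale 0
   age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 88
   id: 010000005822dc1a creatorid: fe76c013
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417 ESTABLISHED:ESTABLISHED
   [3804055570 + 130731] wscale 0  [4282722200 + 5256] wscale 5
   age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 143
   id: 00000000582360d6 creatorid: fe76c013
"""

HEADER = re.compile(r"^(\S+) (\S+) (.+?) (<->|<-|->) (.+?) (\S+):(\S+)$")
AGE = re.compile(r"age (\d+):(\d+):(\d+), expires in (\d+):(\d+):(\d+), "
                 r"(\d+):(\d+) pkts, (\d+):(\d+) bytes, rule (\d+)")

def _secs(hms):
    h, m, s = hms
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_states(text):
    """Parse pfctl -vvss output; 'client' is always the pre-NAT LAN endpoint."""
    states, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            iface, proto, left, arrow, right, s1, s2 = h.groups()
            nat = re.search(r"\(([^)]+)\)", left)  # "(192.168.1.40:65410)" = pre-NAT address
            client, server = (right, left) if arrow == "<-" else (nat.group(1) if nat else left, right)
            cur = {"iface": iface, "client": client, "server": server, "state": f"{s1}:{s2}"}
            states.append(cur)
        elif cur is not None and (a := AGE.search(line)):
            g = a.groups()
            cur.update(age_s=_secs(g[0:3]), expires_s=_secs(g[3:6]), rule=int(g[10]))
    return states

def expiring(states, within_s=60):
    """States pf will drop within `within_s` seconds; later packets on them have no state."""
    return [s for s in states if s.get("expires_s", 0) <= within_s]

def classify_block(states, client, server, flags):
    """Triage one logged block (flags as logged, e.g. 'PA') against the state table."""
    if "S" in flags and "A" not in flags:
        return "new connection: SYN matched no pass rule"
    if any(s["client"] == client and s["server"] == server for s in states):
        return "state exists: pf rejected it anyway (asymmetric path or TCP window check)"
    return "out-of-state: client continued a session whose state already expired"
```

Run `pfctl -vvss` on the firewall and feed its output to `parse_states`; the `expiring` list shows which client ports are about to lose their state, which are the ones a later PA/FA/RA packet would be logged against.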